Ehks
Overview

Vendor Notes:

From the doc:
-= ev0luti0n HTTP keylogger 2.0 beta =-
~ expl0it_shad0w ~
Introduction
Hey again all, I'm back with ehks v2beta. I've changed this version a lot. It seems from the feedback you guys gave me last time that v1 wasn't good. Most of the feedback was negative and it didn't work. And a lot of you infected yourselves and asked me about where to find the missing (.dll). There was never a missing (.dll), it was a fake error message, like I stated in the readme file. Anyway I've taken out the fake error message this time, so you might have to bind it with another application/jpeg or whatever.
NOTE: DON'T OPEN SERVER.EXE unless you want to infect yourself....
Instructions
Follow these instructions.
1. Rename "Server.exe" to whatever you want, make it convincing, not like "TROJAN.exe" or "KEYLOGGER.exe".
2. Send it to them and tell them it's a new hacking tool. NOTE: Try binding it with a real one, if you know how.
( Once the victim opens it, it hides in memory and records all the keystrokes on the computer, so you can view them with an Internet browser like MSIE. )
3. Connect to their machine on port 80 with an Internet browser, as stated above. Type their IP address into it and just hit Enter. For example, if the victim's IP address was 127.0.0.1 you type in http://127.0.0.1 or just 127.0.0.1. Their IP WON'T be 127.0.0.1.
(or)
If you have physical machine access, rather than remote, you can just open up an Internet browser on their machine and type in http://127.0.0.1 and this should bring it up.
Features/Misc
Here's what's been added in version 2beta.
* Better Stealthing code - hopefully won't crash.
* Better Keylogging code - you can now see the window's handle and what they are typing in it.
* Better HTML log file - much more user friendly.
* Added Anti-firewall/Anti-AntiVirus - this will hopefully stop most firewalls and anti-viruses.
expl0it_shad0w

ehks v2.1 is simply a keylogger which lets you check the log files remotely via a web browser (e.g., Internet Explorer). Connect to their machine on port 80 with an Internet browser. This version is 100% different, I've completely re-built it.
Supported versions of Windows: * win9x - I've only tested on a 9x box, so if you guys are gonna test on a different machine, let me know; I'm uncertain as to whether or not it works on Win XP, some beta testers say yes, some say no, I'm looking into this for the next version. The keylogger doesn't run under NT, I have tried, but feel free to try for yourselves, and give me feedback on the result.
Features/Misc
Ehks has been 100% re-built. Here's what's been added/changed in version 2.1.
* Better Stealthing code - hopefully won't crash.
* Changed Keylogging code - you can now see the window's handle.
* Changed HTML log file - a lot better, so people have said anyway.
* Added Anti-firewall/Anti-AntiVirus - this will stop most firewalls and AVs.
* Added Function to get dialup, share, and other cached passwords.
* Added Function to get Machine Info.
* Multi-Log File Support - all log files have their own unique filename.
* Added Mutex usage, to stop "can't write to file" errors, hopefully.
expl0it_shad0w

Alias:

Trojan.Spy.Delf.d, Trojan.Spy.Ehks.20, Trojan.Spy.Ehks.21

Category:

Key Logger: (Keystroke Logger). A program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a key logger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans).

Variants:

  • Ehks 2.0
  • Ehks 2.1
  • Ehks 2.2

Similar Pests:

  • Key Logger

Origins

Author:

Expl0it_shad0w

Group:

(C)-cure Industries

By This Group:

  • Ehks 2.0

Date of Origin:

Variants from November, 2001 to January, 2003

Distribution

Prevalence:

  • Ehks 2.1: 0.1%

Clot Factor:

  • Ehks 2.1: < 1

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Countries Affected:

In the past three months, we have received reports of Ehks in the United States.

Growth:

  • Ehks 2.1: Insufficient data to report growth

Operation

Default Port:

80 TCP

Storage Required:

  • Ehks 2.1: at least 409 KB
  • Ehks 2.2: at least 377 KB

Restart:

  • Ehks 2.0: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "YMUpdater"
  • Ehks 2.1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SpoolerSubSystemProcess"

Autostarting Pests

Risks

Detection Issues:

Difficult to detect by design. May hide from process list. May install with variable names in variable locations.

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove Ehks from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove AutoRun Reference:

Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\spoolersubsystemprocess, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ymupdater, delete it and reboot the machine immediately.
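The AutoRun check above can be scripted against a RegEdit export of the Run key so that a technician does not have to eyeball value names. The following is an added example written for this page, not PestPatrol's code: it parses a .reg export, looks for the two autostart value names the page lists under "Restart" ("YMUpdater" for 2.0, "SpoolerSubSystemProcess" for 2.1), and reports the key, value name and command each one points at. The sample export embedded in the block is constructed; the executable paths in it are placeholders, not indicators from the page. The example goes slightly beyond the page in that it matches any key ending in \CurrentVersion\Run (the page names only the HKLM key) and matches value names case-insensitively, since the removal steps give them in lower case.

```python
"""Flag the Ehks autostart entries in an exported copy of the Run key.

Added example (not PestPatrol code). Parses a .reg export and reports
value names that match the two Ehks "Restart" entries named on the page.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Value names the page lists under "Restart", keyed by lower-cased name.
# Matching is case-insensitive because the removal steps give them in lower case.
EHKS_AUTOSTART = {
    "ymupdater": "Ehks 2.0",
    "spoolersubsystemprocess": "Ehks 2.1",
}

# Constructed .reg export for the demonstration. The executable paths are
# placeholders; the page does not give the dropped file's location.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SpoolerSubSystemProcess"="C:\\EXAMPLE_PATH\\server.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"YMUpdater"="C:\\EXAMPLE_PATH\\other.exe"
"""

# A "name"=data line; the name may contain escaped quotes and backslashes.
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each named value in a .reg export.

    Only the subset of the .reg syntax needed here is handled: key headers in
    square brackets and "name"=data lines. Default values (@=) and hex
    continuation lines are skipped, which is fine for inspecting Run keys.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key is not None:
            name = m.group("name").replace('\\"', '"').replace("\\\\", "\\")
            data = m.group("data").strip()
            if data.startswith('"') and data.endswith('"'):
                # String data: drop the quotes and undo .reg backslash escaping.
                data = data[1:-1].replace("\\\\", "\\")
            yield current_key, name, data


def find_ehks_autostart(text):
    """Return [(variant, key, value_name, command)] for Ehks Run-key entries.

    The page names the HKLM Run key; any key ending in \\CurrentVersion\\Run is
    checked here because the pest "may install with variable names in
    variable locations" and the same value name under HKCU is worth a look.
    """
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower().endswith(r"\currentversion\run") and name.lower() in EHKS_AUTOSTART:
            hits.append((EHKS_AUTOSTART[name.lower()], key, name, data))
    return hits


if __name__ == "__main__":
    for variant, key, name, command in find_ehks_autostart(SAMPLE_REG_EXPORT):
        print(f"{variant}: {key}\\{name} -> {command}")
```

To use it on a real machine, export the Run key from RegEdit to a .reg file and pass the file's contents to `find_ehks_autostart`; each hit names the value to delete before rebooting, as the removal steps describe.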



Clean Registry:

Remove these registry items (if present) with RegEdit:

Remove Files:

Remove these files (if present) with Windows Explorer:

Research

File Analyses:

Research By:

PestPatrol's Pest Research Center

Last Revised:

April 02, 2005